[PATCH 4.3] tipc: Fix kfree_skb() of uninitialised pointer

[PATCH 4.3] tipc: Fix kfree_skb() of uninitialised pointer

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 863 bytes --]

Commit 7098356baca7 ("tipc: fix error handling of expanding buffer
headroom") added a "goto tx_error".  This is fine upstream, but
when backported to 4.3 it results in attempting to free the clone
before it has been allocated.  In this early error case, no
cleanup is needed.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 net/tipc/udp_media.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index 86f2e7c..73bdf1b 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
 	if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
 		err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
 		if (err)
-			goto tx_error;
+			return err;
 	}
 
 	clone = skb_clone(skb, GFP_ATOMIC);

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 811 bytes --]

Patch "tipc: Fix kfree_skb() of uninitialised pointer" has been added to the 4.3-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    tipc: Fix kfree_skb() of uninitialised pointer

to the 4.3-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tipc-fix-kfree_skb-of-uninitialised-pointer.patch
and it can be found in the queue-4.3 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From ben@decadent.org.uk  Thu Dec 17 14:16:22 2015
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 15 Dec 2015 21:21:57 +0000
Subject: tipc: Fix kfree_skb() of uninitialised pointer
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org, ying.xue@windriver.com, "David S. Miller" <davem@davemloft.net>
Message-ID: <20151215212156.GQ28542@decadent.org.uk>
Content-Disposition: inline

From: Ben Hutchings <ben@decadent.org.uk>

Commit 7098356baca7 ("tipc: fix error handling of expanding buffer
headroom") added a "goto tx_error".  This is fine upstream, but
when backported to 4.3 it results in attempting to free the clone
before it has been allocated.  In this early error case, no
cleanup is needed.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/udp_media.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -162,7 +162,7 @@ static int tipc_udp_send_msg(struct net
 	if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
 		err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
 		if (err)
-			goto tx_error;
+			return err;
 	}
 
 	clone = skb_clone(skb, GFP_ATOMIC);


Patches currently in stable-queue which might be from ben@decadent.org.uk are

queue-4.3/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
queue-4.3/revert-vrf-fix-double-free-and-memory-corruption-on-register_netdevice-failure.patch
queue-4.3/vrf-fix-double-free-and-memory-corruption-on-register_netdevice-failure.patch